Issue Date: March 18, 2010
Audit Report Number: 2010 BO 0002

TO: William H. Eargle, Jr., Deputy Assistant Secretary for Operations, Office of Community Planning and Development, DO

FROM: John A. Dvorak, Regional Inspector General for Audit, (Boston) Region 1, 1AGA

SUBJECT: HUD’s Office of Community Planning and Development Had Established and Implemented an Appropriate Risk Assessment Process

HIGHLIGHTS

What We Audited and Why

We reviewed the U.S. Department of Housing and Urban Development’s (HUD) Office of Community Planning and Development’s (CPD) risk assessment process. We initiated the review as part of the activities in our fiscal year 2010 annual audit plan. Our objective was to determine whether CPD had established and properly implemented a risk assessment process that used appropriate measures to determine risk and identify grantees for monitoring.

What We Found

CPD had established and implemented a risk assessment process that used relevant assessment factors to determine risk and identify grantees for monitoring. We identified and reviewed risk assessment factors in existence, evaluated whether they were adequate, and considered additional factors required under the American Recovery and Reinvestment Act of 2009.

The risk assessment factors in place were adequate to identify grantees for appropriate monitoring.
Additionally, the risk analyses prepared annually were used to select grantees for later monitoring.

What We Recommend

There are no recommendations made in this report since no reportable deficiencies were identified.

Auditee’s Response

We provided our discussion draft audit report to the Deputy Assistant Secretary for Operations, CPD, on March 2, 2010. An exit conference was held on March 16, 2010. This report did not require a response from the auditee and no formal comments were received.

TABLE OF CONTENTS

Background and Objective
Results of Audit
Scope and Methodology
Internal Controls

BACKGROUND AND OBJECTIVE

The U.S. Department of Housing and Urban Development’s (HUD) Office of Community Planning and Development (CPD) each year issues a notice providing a methodology for conducting risk analyses for formula and competitive grantees and establishes monitoring priorities within available resources. For fiscal years 2010 and 2011, CPD issued Notice 09-04 (Implementing Risk Analyses for Monitoring Community Planning and Development Grant Programs in FY 2010 and 2011).
This risk analysis process was incorporated into CPD’s Grants Management Process system, a computer-based information system that is used to provide a documented record of conclusions and results.

The notice is intended to augment the departmental policy contained in Handbook 1840.1, REV-3, Departmental Management Control Program Handbook, which requires the development of risk-based rating systems for all programs and is incorporated into Handbook 6509.2, REV-5, Community Planning and Development Monitoring Handbook. The major steps for implementing risk-based monitoring include

• Developing risk-based rating systems for program grantees,
• Rating and selecting grantees for monitoring,
• Identifying program risks and setting monitoring objectives, and
• Documenting the process and recording the rationale for choosing grantees.

Each CPD field office is responsible for conducting risk analyses and developing monitoring strategies and an office work plan encompassing grantees and programs to be monitored during the fiscal year. Headquarters establishes the completion dates for risk analyses and work plans each fiscal year. The purpose of a monitoring strategy is to define the scope and focus the monitoring efforts, including establishing a framework for determining the appropriate level of monitoring for grantees consistent within available resources. The work plan documents the field office decisions regarding where to apply staff and travel resources for monitoring, training, and/or technical assistance.

Risk analysis performed is intended to provide the information needed for CPD to target its resources to grantees that pose the greatest risk to the integrity of its programs, including identification of the grantees to be monitored on site and remotely, the program areas to be covered, and the depth of the review.
The selection process should result in identifying those grantees and activities that represent the greatest vulnerability to fraud, waste, and mismanagement. For monitoring the administration of CPD programs, HUD uses Handbook 6509.2, rev 5. To address the requirements of the American Recovery and Reinvestment Act of 2009 (ARRA) funded CPD programs, HUD has outlined its monitoring steps in its draft revision 6 to HUD Handbook 6509.2, chapter 8. This draft specifically addresses ARRA requirements for all CPD programs funded under ARRA.

Our objective was to determine whether CPD had established and properly implemented a risk assessment process that used appropriate measures to determine risk and identify grantees for monitoring.

RESULTS OF AUDIT

CPD Had Established and Implemented an Appropriate Risk Assessment Process To Determine Risk and Identify Grantees for Monitoring

CPD had established and implemented a risk assessment process that used appropriate assessment factors to determine risk and identify grantees for monitoring. The risk analyses prepared were directly related to the grantees selected for later monitoring. Additionally, HUD’s Office of Policy Development and Research (PD & R) recently reviewed the effectiveness of the risk analysis process used by CPD and recommended adjustments to the process to save time and maintain a standardized system for assessing risk. Although we were not involved in the work performed by PD & R, we acknowledge the potential benefit that its assessment may have when considered and implemented by CPD.

CPD Had Established an Appropriate Risk Assessment Process

CPD had established and implemented a risk assessment process that used appropriate assessment factors to determine risk and identify grantees for monitoring.
We identified and reviewed risk assessment factors in existence, evaluated whether they were adequate, and considered additional factors required under the American Recovery and Reinvestment Act of 2009 (ARRA). The risk assessment factors in place were adequate to identify grantees for appropriate monitoring. Additionally, the risk analyses prepared annually were used by the field office to identify and select the grantees for later monitoring. However, considering the number of subfactors needing assessment for each program and grantee, the time required to complete each risk analysis could be considerable.

PD & R Reviewed CPD’s Risk Assessment Process

CPD reviews the risk assessment process before issuing its notice to the field each year. However, this past year, PD & R was asked to review the risk-based monitoring of CPD’s formula grants.
A December 2009 PD & R report for this review stated that the risk analysis process was successful and was identifying programs that were more likely to have findings, but it noted some concerns and made recommendations.

The report recommended some adjustments to the risk analysis process that could save time and maintain a standardized system for assessing risk, including:

• Use fewer subfactors, which simply and directly estimate staff capacity, program complexity, and past performance.
• Develop a subfactor to explicitly incorporate the judgment of the evaluator and/or CPD management representative.
• Ensure strict adherence to limited exception criteria.
• Randomly sample low- and medium-risk grantees for monitoring.
• Increase reliance on remote monitoring for low- and medium-risk grantees.

The report stated that the greatest benefit of these changes would be a reduction in the time and resources required for risk analysis and monitoring. Although we did not independently assess the potential improvements put forth by PD & R, we believe that HUD is taking an active approach in continually seeking to improve the risk analysis process for identifying high-risk grantees for monitoring. We further recognize the potential benefit that PD & R’s assessment may have when considered by CPD.

Conclusion

CPD had established and implemented a risk assessment process that used appropriate assessment factors to determine risk and identify grantees for monitoring.
HUD also evaluates the process periodically to determine whether improvements or changes are needed.

Recommendations

Our audit did not identify any reportable deficiencies, and therefore, there are no recommendations.

SCOPE AND METHODOLOGY

Our survey generally covered the period July 1 through December 31, 2009. To accomplish the survey objectives, we

• Obtained an understanding of the controls related to the audit objective and the controls significant to the audit objective.
• Reviewed applicable criteria: the Housing and Economic Recovery Act of 2008 (HERA), ARRA, Office of Management and Budget guidance, headquarters CPD guidance regarding risk assessments/monitoring, and local CPD guidance regarding risk assessments/monitoring.
• Contacted CPD office staff and discussed and documented the risk assessment process for programs and grantees.
  We also discussed with the Hartford, CT, and Boston, MA, CPD staff members their opinions on the risk assessment process.
• Discussed and documented additional steps in the risk assessment process with respect to funding received from the two stimulus funding packages (i.e., HERA and ARRA).
• Obtained and documented the risk analyses prepared by program/grantee for the Hartford, CT, CPD field office.
• Identified and reviewed risk assessment factors in existence, evaluated whether they were adequate, and considered additional factors required under ARRA.
• Determined the relationship between the risk assessments and grantees selected for later monitoring.
• Obtained and reviewed the report prepared by PD&R regarding the effectiveness of the risk analysis process used by CPD.

We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

INTERNAL CONTROLS

Internal control is an integral component of an organization’s management that provides reasonable assurance that the following controls are achieved:

• Program operations,
• Relevance and reliability of information,
• Compliance with applicable laws and regulations, and
• Safeguarding of assets and resources.

Internal controls relate to management’s plans, methods, and procedures used to meet its mission, goals, and objectives.
They include the processes and procedures for planning, organizing, directing, and controlling program operations as well as the systems for measuring, reporting, and monitoring program performance.

Relevant Internal Controls

We determined that the following internal controls were relevant to our audit objectives:

• Policies and procedures that management has implemented to ensure that CPD staff members are made aware of and trained/supervised regarding any changes to existing programs, the addition of new programs, and any revisions to existing worksheets/factors or new worksheets/factors, as they relate to the risk assessment evaluation, to ensure compliance with HUD requirements.

• Policies and procedures that management has implemented to ensure that risk assessments are reviewed for accuracy and completeness to minimize errors and omissions that may result in an inaccurate risk assessment.

We assessed the relevant controls identified above.

A significant weakness exists if management controls do not provide reasonable assurance that the process for planning, organizing, directing, and controlling program operations will meet the organization’s objectives.

Significant Weaknesses

Based on our review, no significant weakness was noted.